With businesses and manufacturers looking to connect seemingly everything to the Internet, the one critical factor that often gets overlooked is security. As I’ve discussed in two previous blogs, failure to build adequate security into your Internet of Things (IoT) initiatives can expose your business to a number of significant risks.

For example, hackers could steal confidential corporate or consumer data—either directly from IoT devices or by using them as pathways into backend business systems and corporate networks. Attackers could take control of self-driving cars, industrial controls, and even robots, causing property damage, factory downtime, or personal injury. Or, cybercriminals could use your products to take control of critical infrastructure, ranging from HVAC systems to smart buildings, and demand ransom. These threats have the potential to damage your brand, put you in non-compliance with strict privacy laws, and cause major inconveniences to customers—perhaps even endangering their lives.

Device protection and trusted code execution are central to IoT security. So ideally, any IoT device should have a secure boot capability consisting of several bootloader stages. At each stage of the secure boot process, software is verified using cryptographic checks and installed before the next bootloader stage is executed. The high security of the ARTIK platform requires each IoT device to support secure boot to validate the integrity of security-critical executables and stop the boot process if any executable is compromised.

Additionally, the secure boot parameters must be provisioned in hardware during the manufacturing process. On ARTIK SoMs, the secure boot verification process starts when the system is brought up from a cold boot. The first bootloader executed by the processor at power-on is implemented in ROM. This approach prevents unauthorized software from running when a device is powered up, and is essential to assuring device integrity and preventing hackers from injecting malware.
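The staged verification described above can be sketched as follows. This is an added example, not ARTIK code: it uses SHA-256 digest pinning in place of the signature checks a production boot chain would use, and the image layout, function names, and sample payloads are all assumptions made for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 output size in bytes

# Constructed sample payloads standing in for real boot-stage binaries.
PAYLOADS = [b"stage1: first-stage loader", b"stage2: second-stage loader", b"stage3: kernel"]


def build_chain(payloads):
    """Build stage images back to front.

    Each image is digest_of_next_image (zeros for the last stage) || payload.
    Returns (images, root_digest); root_digest plays the role of the value
    provisioned in hardware at manufacture and used by the ROM loader.
    """
    images, next_digest = [], bytes(DIGEST_LEN)
    for payload in reversed(payloads):
        image = next_digest + payload
        images.insert(0, image)
        next_digest = hashlib.sha256(image).digest()
    return images, next_digest


def secure_boot(root_digest, images):
    """Verify every stage before handing control to it.

    Returns (stages_executed, ok); on a mismatch the boot stops at that stage.
    """
    expected = root_digest
    for index, image in enumerate(images):
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, expected):
            return index, False  # halt: nothing at or after this stage runs
        # The embedded digest is trusted only because this image just verified.
        expected = image[:DIGEST_LEN]
    return len(images), True


if __name__ == "__main__":
    images, root = build_chain(PAYLOADS)
    print("clean chain:", secure_boot(root, images))
    # A swapped kernel with a re-linked stage 2 still fails, because stage 1
    # cannot change without breaking the hardware-held root digest.
    evil, _ = build_chain(PAYLOADS[:2] + [b"stage3: modified kernel"])
    print("relinked chain:", secure_boot(root, [images[0]] + evil[1:]))
```

Because every stage's expected digest is covered by the stage before it, the only value that has to resist modification is the root digest, which is why it belongs in hardware rather than in updatable storage.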

The ability to trust the software running on a hardware platform is one of the most fundamental principles of security. To ensure attackers cannot replace or modify software, each ARTIK-based IoT device must be equipped with an X.509 certificate issued by the Samsung IoT Device certificate authority (CA) or a third-party CA accredited by Samsung.

Each device must be able to update its firmware in a secure manner. With ARTIK, secure over-the-air (OTA) updates, combined with code signing, ensure that only signed, authentic code can run on a device.

Attackers may try to intercept or modify traffic between IoT devices or between devices and the cloud. Or they may attempt to send unauthorized commands or events to devices. Consequently, all transmitted data between each device and ARTIK cloud services (which run on the Samsung SmartThings cloud) must be protected. The ARTIK platform secures communications between different ARTIK-based devices and between those devices and the SmartThings cloud using encryption, industry-standard cryptographic algorithms, and mutual authentication using a shared root of trust.

IoT systems that don’t provide adequate protection for data stored locally on devices can adversely impact end users’ safety and put your brand at risk. Poorly designed IoT systems without secure storage can also put you in non-compliance with a growing number of privacy regulations and guidelines. This means each device must provide secure storage that protects the confidentiality and integrity of data against unauthorized access. The high security standards of the ARTIK IoT platform require each device to meet two storage requirements: it must provide secure storage to guarantee confidentiality and data integrity, and all storage security must be hardware-backed. Devices that do not meet these requirements cannot connect with the Samsung SmartThings cloud.

Secure storage of sensitive data must be hardware-backed, and all cryptographic keys must be stored encrypted in hardware-backed secure storage. Most ARTIK SoMs include a Common Criteria EAL5 hardware Secure Element, which is optimized for IoT and provisioned with X.509 certificates and corresponding keys and identities inside secure storage. This, along with Secure Element Secure APIs, protects these sensitive assets over the entire device life cycle, especially during execution of cryptographic algorithms that depend on these keys.

Each device must be identified uniquely. Each ARTIK SoM has a unique certificate injected during manufacture, which the SoM uses to establish its identity with the SmartThings cloud. The certificates are also stored in specialized hardware, making device identity resistant to software hacking.

As a key to secure communications, each device must provide certificate-based mutual authentication with the SmartThings cloud. The ARTIK platform also facilitates the onboarding process by using strong mutual authentication between a gateway device and the cloud registration servers. This prevents counterfeit or non-compliant devices from stealing cloud services and possibly damaging brand reputations.

Effective IoT device security requires that external device ports be disabled or protected from unauthorized use. ARTIK SoMs provide Joint Test Action Group (JTAG) ports for debugging the platform. However, access via JTAG opens up methods to bypass internally defined security mechanisms. To address this vulnerability, ARTIK SoMs support Secure JTAG, which requires the use of a password unique to each SoM to access the JTAG chain.

Samsung created the ARTIK IoT platform to raise the overall security capabilities of IoT systems to counter growing threats. Samsung ARTIK is an end-to-end, edge-to-cloud platform which provides the 10 must-haves of IoT security. By building on ARTIK, you can bring new IoT products to market quickly without worrying about extensive security development.
